Hacking a Facebook app != hacking Facebook

Silicon Alley Insider has a story with a we’re-really-not-trying-that-hard-but-sensationalism-just-comes-naturally-to-us headline boldly proclaiming that they can teach you How To Hack Facebook In 51 Seconds. Take a look at the video below and see what you think.

Wrong! Yeah, that’s what I thought too. That’s not Facebook. That’s a Facebook app. A custom application, written by an external developer who really doesn’t care about security a whole lot. There’s a big difference between hacking Facebook (exposing contact or personal details, gaining access to passwords, etc.) and hacking a Facebook application (in this case, changing your friend’s mood). Yes, that may cause some strange questions from your friends (“Why are you feeling like murdering kittens?”), but one poorly written app does not mean that the security of Facebook as a whole has been compromised. Great headline, totally inaccurate subject matter.

The source for this story was probably this review of the app from a day earlier, which links to the YouTube video and highlights this exact problem in the environment where it is actually meaningful and would be most effective (if people actually bothered to read reviews before installing apps). The original poster even accurately characterized this as a hackable app, not a core breach of the mothership.

Here’s a fix for SAI – update the title to be “How To Hack the Facebook Moods App In 51 Seconds”. Still fairly interesting, and about 100% more accurate. This time the discussion could even focus on more relevant questions, like whether Facebook should be certifying apps once they hit a certain size.